CVE-2021-20180 — Insertion of Sensitive Information into Log File in ansible

Description

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.

How to fix CVE-2021-20180

To remediate CVE-2021-20180, upgrade the affected package to a fixed version below.

—upgrade to 2.10.7-1 or later
—upgrade to 2.8.19 or later

Is CVE-2021-20180 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.10.7-1
>= 2.8.0a1, < 2.8.19

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-20180
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-20180
PATCHgithub.com/ansible/ansible
WEBbugzilla.redhat.com/show_bug.cgi?id=1915808
WEB